The Check Point mobile threat prevention research team discovered a new Android malware on Google Play, called “DressCode,” which was embedded into more than 40 apps, and found in more than 400 additional apps on third party app stores. Check Point notified Google about the malicious apps, and some have already been removed from Google Play.

The oldest apps were uploaded to Google Play on April 2016, where they remained undetected until recently. Some of the apps reached between 100,000 and 500,000 downloads each. Between 500,000 and 2,000,000 users downloaded the malicious apps from Google Play.

Dress code 1

Figure 1: One of the malicious apps found on Google Play.

Similar to Viking Horde, DressCode creates a botnet that uses proxied IP addresses, which Check Point researchers suspect were used to disguise ad clicks and generate false traffic, generating revenue for the attacker. A botnet is a group of devices controlled by hackers without the knowledge of their owners. The bots can be used for various reasons based on the distributed computing capabilities of all the devices. The larger the botnet, the greater its capabilities.

Once installed on the device, DressCode initiates communication with its command and control server. Currently, after the initial connection is established, the C&C server orders the malware to “sleep,” to keep it dormant until there’s a use for the infected device. When the attacker wants to activate the malware, he can turn the device into a socks proxy, rerouting traffic through it.

Below are pictures of additional samples of the DressCode Malware, as found on Google Play:

Dress code 3

 

So, why should you be concerned about such malware?

Both Viking Horde and DressCode malware create botnets which can be used for various purposes, and even to infiltrate internal networks. Since the malware allows the attacker to route communications through the victim’s device, the attacker can access any internal network to which the device belongs. This can compromise security for enterprises and organizations.

To demonstrate how this could be achieved, Check Point researchers created a video , showing how attackers could potentially use the DressCode malware to access an internal network and retrieve sensitive files from it.

Appendix – Package names found on Google Play

  • com.dark.kazy.goddess.lp
  • com.whispering.kazy.spirits.pih
  • com.shelter.kazy.ghost.jkv
  • com.forsaken.kazy.game.house
  • com.dress.up.Musa.Winx.Stella.Tecna.Bloom.Flora
  • com.dress.up.princess.Apple.White.Raven.Queen.Ashlynn.Ella.Ever.After.High
  • com.monster.high.Dracubecca.freaky.Fusion.draculaura
  • com.dress.up.Cerise.Hood.Raven.Queen.Apple.White.Ever.After.Monster.High
  • com.ever.after.high.Swan.Duchess.barbie.game
  • com.cute.dressup.anime.waitress
  • com.rapunzel.naughty.or.nice
  • guide.slither.skins
  • clash.royale.guide
  • guide.lenses.snapchat
  • com.minecraft.skins.superhero
  • com.catalogstalkerskinforminecraft_.ncyc
  • com.applike.robotsskinsforminecraft
  • com.temalebedew.modgtavformcpe
  • com.manasoft.skinsforminecraftunique
  • com.romanseverny.militaryskinsforminecraft
  • com.temalebedew.animalskinsforminecraft
  • com.temalebedew.skinsoncartoonsforminecraft
  • com.str.carmodsforminecraft
  • com.hairstyles.stepbystep.yyhb
  • com.str.mapsfnafforminecraft
  • com.weave.braids.steps.txkw
  • mech.mod.mcpe
  • com.applike.animeskinsforminecraftjcxw
  • com.str.furnituremodforminecraft
  • com.vladgamerapp.skin.editor.for_.minecraft
  • ru.sgejko.horror.mv
  • com.vladgamerapp.skins.for_.minecraft.girls
  • com.zaharzorkin.cleomodsforgtasailht
  • com.temalebedew.ponyskins
  • com.my.first.date.stories
  • com.gta.mod.minecraft.raccoon
  • com.applike.hotskinsforminecraft
  • com.applike.serversforminecraftpe
  • com.zaharzorkin.pistonsmod
  • wiki.clash.guide
  • mobile.strike.guide
  • prank.calling.app
  • sonic.dash.guide

  1. Most likely the major purpose behind DressCode is to deliver Ads and perform click-fraud for financial gains. This is somewhat similar to a previously known malware Viking Horde which was also discovered by Check Point.

  2. So, how did the malware get into the apps? If it was internationally placed by the developers, then are they being prosecuted for crimes? Since these apps were posted on the Google Play store, I assume there are legit financial accounts and other info that makes it possible to track down real people.If not, please explain. THAT’S the part of the story that is never covered. Is anyone ever held accountable for placing malware in apps?

  3. Google Play has been attacked several times, they would be more cautious about this. By the way, once we checked we have installed on of those apps, what’s the next step?, eliminate the app of course, but that solves the infection?

  4. I always hear, “thanks for your service” for a passion in me that I volunteered to do. Now an IT guy I don’t hear it for that…well, not with as much respect. Even though it’s often feels as much of a feat as defending the Nation. What you guys do is in the same league. THANKS FOR YOUR SERVICE CHECKPOINT?!

  5. I love your way of expressing the blog. I would like to suggest your blog in my dude circle, so keep on updates. Thanks for sharing and keep update more info for us. Eagerly waiting for you tech service.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Please complete the equation to verify your submission. * Time limit is exhausted. Please reload the CAPTCHA.